Security and Compliance

Data protection

Scribe is committed to protecting your privacy. We ensure data protection through several controls. All of this data is encrypted and protected by access control measures  and alerting and monitoring systems. Scribe offers SSO integration to ensure users are securely authenticated. Scribe does not sell customer data to any third parties.

All data is encrypted in transit and at rest to ensure protection of your data and privacy.

• Encryption in transit: All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS). You can see our SSLLabs report here.
• Encryption at rest: All of our user data (and backups) is encrypted using AES-256 key encryption.

Employee access to the environment in which customer data is stored is granted on a least permissions basis, highly restricted and monitored.

• Access is granted exclusively for troubleshooting, functionality and security purposes.
• All activity in Scribe’s cloud environment is monitored.  Intrusion detection and prevention systems are also in place.
• All our employees sign a Non-Disclosure and Confidentiality Agreement when joining the company to protect our customers' sensitive information.

Alongside Scribe’s infrastructure-based protection measures, we provide users with authentication and SSO integration capabilities.

• We provide a 2-factor authentication mechanism to protect our users from account takeover attacks. Setting up this extra security measure is optional but highly recommended to increase the security of sensitive data.
• We protect our users against data breaches by monitoring and blocking brute force attacks.
• Single sign-on (SSO) is offered for our enterprise customers.
• Role-based access control (RBAC) is offered on enterprise accounts.

All payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. 

• Scribe does not collect any payment information and is therefore not subject to PCI obligations. Smart Privacy Screen may be enabled if your users intend to use Scribe for systems that may potentially display PCI data.

Compliance

Scribe has a dedicated internal Security and Compliance Team, has successfully passed a SOC 2 Type II audit, executes HIPAA BAA agreements for Enterprise customers and answers information security questionnaires free of charge.

We offer HIPAA BAA agreements to enterprise companies that need to comply with HIPAA regulations. Scribe’s data privacy and information security measures assist in supporting customer requirements for HIPAA compliance.

Scribe has successfully passed SOC 2 Type II audits. Scribe's SOC 2 Type II report is available upon execution of an NDA. Please contact [email protected] for Scribe's SOC 2 Type II report. 

This certification means that an independent auditor has evaluated our product, infrastructure and policies, and certifies that we meet or exceed specific levels of controls and processes for the security of user data.

In addition, we have purchased third-party software that continuously monitors our infrastructure and ensures we are in compliance with our stated policies and procedures.

Infrastructure

Scribe’s infrastructure is hosted in Amazon Web Services (AWS) in SOC 2 Type II and ISO 27001 compliant data centers. Scribe has backup data center regions to ensure high availability.

All of our hosted services run in the cloud. Our cloud environment is protected by intrusion detection and prevention systems with alerting and monitoring in place.  We do not host or run our own routers, load balancers, DNS servers or physical servers. We use Amazon Web Services (AWS) and have no physical infrastructure or physical access to the servers themselves. Our production databases are on Amazon RDS and S3. AWS provides strong security measures to protect our infrastructure and are compliant with most certifications. You can read more about their practices here.

‍

Data retention and removal

Scribe has indefinite  data retention by default to allow for compliance with an array of customer retention needs. Data is deleted immediately and securely upon request.

Users may request to have their data deleted at any time by writing to [email protected]. Please allow 30 days to process your request.

Business continuity and disaster recovery

We back up all our critical assets and regularly run backup restores to guarantee  fast recovery in case of disaster. All our backups are encrypted for data protection.

Scribe has redundant data center zones in place with failover capabilities to ensure availability of services and data. Scribe’s RTO is 8 hours and RPO is 24 hours, providing quick restoration of services in the event of an outage and minimal to no data loss.

Responsible disclosure & security testing

We encourage everyone to practice responsible disclosure and comply with our policies and terms of service.

Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them.

You can report vulnerabilities by contacting [email protected]. Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal actions if you follow the rules.

Coverage

• *.scribehow.com

Exclusions

• status.scribehow.com
• support.scribehow.com
• blog.scribehow.com

Scribe will accept findings for investigation concerning the below categories of vulnerabilities:

• Cross-Site Scripting (XSS)
• Open redirect
• Cross-site Request Forgery (CSRF)
• Command/File/URL inclusion
• Authentication issues
• Code execution
• Code or database injections

This program does NOT include:

• Logout CSRF
• Account/email enumerations
• Denial of Service (DoS)
• Attacks that could harm the reliability/integrity of our business
• Spam attacks
• Clickjacking on pages without authentication and/or sensitive state changes
• Mixed content warnings
• Lack of DNSSEC
• Content spoofing / text injection
• Timing attacks
• Social engineering
• Phishing
• Insecure cookies for non-sensitive cookies or 3rd party cookies
• Vulnerabilities requiring exceedingly unlikely user interaction
• Exploits that require physical access to a user's machine

Security FAQ

Is Scribe HIPAA compliant?

Scribe can support customer requirements for HIPAA. We are also  willing to execute BAAs to support customers with HIPAA-related requirements. Users may redact any sensitive information such as PHI that’s recorded, and if customers upgrade to Enterprise, they can enable Smart Privacy Screen to automatically redact sensitive information. This can be enabled at the administrator level such that employees cannot disable Smart Privacy Screen.

Can I have a copy of Scribe’s SOC 2 report?

If we have an executed Mutual Non-disclosure Agreement in place, yes. We are happy to execute our customers’ MNDAs (just ensure it is actually mutual and not a one way NDA - send to [email protected] if you have trouble figuring out if it’s mutual).

Why does Scribe request to read all of my web pages?

In short, for functionality. For Scribe to be able to capture processes for users, the application and plugin have to read actions on webpages such as clicks and keystrokes. Scribe only collects user actions when directed by the user to capture. No browsing information is sent if the user doesn’t interact with the browser extension. Users may turn off the plugin or application at any time. Please refer to Scribe’s Privacy Policy for more information on what we collect and why we collect it: https://scribehow.com/privacy/

What security measures does Scribe have in place?

• External Information Security Audit: Scribe is SOC 2 Type II audited annually to verify the efficacy of our information security and business continuity controls.
• Environment and Access Control: Scribe's infrastructure is designed so that development, staging and production environments are entirely segregated, and access to each is based on a least permissions policy.
• Encryption: Data is encrypted both in transit and at rest using industry-standard encryption measures (AES 256 and TLS 1.2/1.3 tunnels), and Scribe has enabled additional user-side features to allow for redaction of data at the Pro and Enterprise level.
• IPS/IDS: Scribe has intrusion detection and prevention systems, as well as logging and monitoring, to ensure the security of our environment.
• Data Minimization: Scribe collects only user data that is essential to the functionality of our platform. Data collection is user-activated for purposes of capturing digital processes. Scribe collects screenshots and action items such as clicks and keystrokes after the user hits "record." Users may stop a Scribe capturing session at any time.